This paper revisits a previously proposed authentication scheme for remote healthcare systems in Cloud-IoT. Although that protocol was introduced as a repair of an earlier healthcare design and was claimed to satisfy the usual confidentiality and mutual-authentication goals, a closer reconstruction of its registration, login, authentication, and password-update logic reveals several structural weaknesses. The analysis shows that a stolen smart card combined with one captured transcript enables offline password verification, that the session key is deterministic for a fixed user-sensor pair, that static pseudonyms expose long-term linkability, and that compromise of the server-wide secret expands immediately to all registered sensors. To address these problems, the core key-management path is redesigned while keeping the original cloud-assisted remote healthcare architecture. The revised scheme uses a device-bound seed only for local recovery, a fresh elliptic-curve Diffie-Hellman exchange for every run, dynamic pseudonyms, and KDF-based session-key derivation with explicit context binding. A comparative evaluation against the Sharma-Kalra baseline and the 2021 Azrour design indicates that the revised protocol raises resistance to guessing, replay, cross-session correlation, and compromise propagation with only modest latency growth.
Haewon Byeon (Thu,) studied this question.